About The Northwest Policyholder

A Miller Nash Graham & Dunn blog, created and edited by Seth H. Row, an insurance lawyer exclusively representing the interests of businesses and individuals in disputes with insurance companies in Oregon, Washington, and across the Northwest. Please see the disclaimer below.

Friday, August 21, 2015

Oregon Court Rejects Insurer's "Trained Monkey" Defense

In order to avoid providing a defense to an insured, insurance companies often argue that the complaint or demand does not clearly allege covered damage.  I call this the "trained monkey" defense - essentially, the insurance company's position is that it is only required to do what a trained monkey might do, which is read the words printed on the page.  No analysis, no thinking, no investigation.  Oregon's courts have rejected this type of argument time and again, but insurance companies persist, because of the lack of downside risk to denying a defense under Oregon law.  A new decision from the Court of Appeals may help convince insurers that the "trained monkey" defense will simply not work.

In West Hills Development v. Chartis Claims, Inc. & Oregon Automobile Ins. Co., the "trained monkey" argument played itself out in the context of additional insured coverage.  West Hills was the general contractor on a residential development, and was an additional insured of one of its subcontractors, L&T.  When West Hills was sued by homeowners, it tendered to the defense to L&T's carrier, Oregon Auto.  Oregon Auto refused, and West Hills sued to recover a portion of its defense costs.  Oregon Auto argued, among other things, that the homeowners' complaint did not identify L&T as a subcontractor on the project.  The complaint alleged that West Hills was liable for not supervising subcontractors generally, but didn't identify any subcontractors by name.  Therefore, argued the insurer, how were they supposed to know that the tender from West Hills on the L&T policy was legitimate?

The problem for Oregon Auto was that the tender had been done carefully, by West Hills' counsel, and the tender told Oregon Auto that L&T was the subcontractor responsible for some of the deficiencies alleged in the complaint.  But Oregon Auto argued that under Oregon's "eight-corners" rule it wasn't required to investigate whether that statement in the tender letter (which Oregon Auto claimed was mere "argument") was true.  Instead it could pull the "trained monkey" routine and blithely deny coverage.

Nonsense, said the Court of Appeals.  Relying on the long line of Oregon cases requiring insurers to resolve any ambiguity in favor of coverage (including ambiguity about identification of insureds), and also on Fred Shearer & Sons v. Gemini Insurance, a 2010 decision, the court held that Oregon Auto had a duty to investigate the statement in the tender letter about L&T's role.  In the Fred Shearer case the court adopted a limited exception to the "eight corners" rule when the identity of a proposed insured is not clearly alleged in the complaint.  The West Hills court applied the logic of Fred Shearer to additional insured coverage.

The West Hills decision addressed several coverage issues; the "trained monkey" defense is only one.  However, its most lasting impact may be its clear statement that an insurance company has a duty to investigate facts tending to show that coverage is available, and analyze the allegations in a complaint, not just read the complaint for magic words.

Tuesday, July 28, 2015

Absolute Pollution Exclusions Are Not Absolute

Insurance is a crucial source of funding for most environmental cleanups. For the past 30 years, comprehensive general liability insurance policies have uniformly included an "absolute pollution exclusion" in some form or another. The earliest such exclusions appeared in the 1950's, but they became ubiquitous boilerplate in the mid-1980s. As a result, most applicable environmental coverage is found in policies pre-1985, and many policyholders incorrectly assume that their post-1985 policies provide no such coverage. This assumption stems from a string of court decisions finding that absolute pollution exclusions eliminate coverage for traditional industrial pollution under Oregon law. Martin v. State Farm Fire & Cas. Co., 146 Or. App. 270, 275-80, 932 P.2d 1207 (1997); Ind. Lumbermens Mut. Ins. Co. v. W. Or. Wood Prod., Inc., 268 F.3d 639 (9th Cir. 2001). While absolute pollution exclusions are broad, and often do exclude pollution from traditional sources, they do not eliminate all coverage for environmental claims, and policyholders should thoroughly review each of their policies to determine whether coverage exists.

Most absolute pollution exclusions are incorporated into standardized forms and use language originally written by the Insurance Services Office (the "ISO"). The ISO's pollution exclusion, which is widely referred to as the "absolute pollution exclusion," actually expressly creates coverage in certain circumstances. For example, the ISO's exclusion does not apply if contamination results from a "hostile fire" or from a failure of equipment used to heat, cool, or dehumidify a building. While the factual scenarios in which express coverage is created are limited, a policyholder should determine whether any such scenarios apply. Even if only part of the environmental claim falls within the scope of express coverage, the insurer may be required to provide a full defense under Oregon law. While the scenarios where coverage is expressly not excluded are few, it is important to review each such scenario at the outset to ensure that no coverage is missed.

Another important analysis is whether the environmental claim involves a pollutant as defined by the policy. If the contamination does not result from the release of a "pollutant," the exclusion typically will not bar coverage. The ISO exclusion includes a very broad definition of what constitutes a pollutant. While many courts have given the term "pollutant" a very broad interpretation, other courts have interpreted "pollutant" to include only traditional or inherently dangerous contaminants. MacKinnon v. Truck Ins. Exch., 31 Cal. 4th 635, 73 P.3d 1205, 3 Cal Rptr. 3d 228 (2003); In re Hub Recycling, Inc., 106 B.R. 372 (D.N.J. 1989). Determining whether a released substance is a pollutant often requires a review of how the substance was used and how it has impacted the property. While many courts have addressed whether commonly applied products, such as pesticides, can be considered pollutants, many of these questions remain unanswered under Oregon law. If contamination has resulted from something other than the accidental release of a regulated substance, a policyholder may have coverage despite the inclusion of an absolute pollution exclusion by showing that the substance is not a "pollutant."

Policyholders also need to be on the lookout for policies that include purported absolute pollution exclusions that do not utilize standardized ISO language. While most policies include standardized ISO exclusions, some insurers have used individualized exclusions that apply less broadly. For example, some of the early insurer-specific absolute pollution exclusions apply only to releases into waterbodies or to claims brought by government authorities. In these cases, coverage remains in place for releases onto land or claims brought by corporations. Insurer-specific absolute pollution exclusions are most commonly found in policies from the 1980s, but a policyholder may run into them at any time.

While absolute pollution exclusions often leave an insured without coverage, they are not as ironclad as their name suggests. The policyholder facing an environmental claim should retain coverage experts as soon as possible to determine which policies create coverage, including those policies that include purported absolute pollution exclusions.

           

Friday, July 24, 2015

Neiman Marcus Data Breach Decision Portends Greater Risk for NW Companies, Need for Cyber Coverage

Earlier this week the Seventh Circuit Court of Appeals, in Illinois, issued a momentous decision for those of us who keep tabs on data breach litigation nationwide.  The decision in Remijas v. Neiman Marcus reinstated class action claims by thousands of shoppers who had their credit card data stolen.  Reversing a trend in the case law driven by a 2013 Supreme Court decision (the Clapper decision), the Seventh Circuit held in effect that even if some class members had not yet experienced a loss of money due to their personal information being stolen, they still had standing to pursue claims for compensation, including for the time and aggravation of having to obtain replacement credit cards, put in place credit monitoring, and take other steps to protect themselves.  It did not matter, said the court, that all of the consumers who had experienced fraudulent charges on their cards had been reimbursed by their banks, that Neiman Marcus had agreed to pay for credit monitoring, or that the consumers could not conclusively rule out that their credit card account information had been stolen in a different hack (e.g. Target).

This decision is only binding in the federal districts within the Seventh Circuit, but as Kevin LaCroix has pointed out in his blog, as a first-in-the-nation decision from an appellate court in this exact scenario, it is likely to be influential.  That is even more true for claims brought in the Northwest, for two reasons.

First, the Seventh Circuit cited extensively to a decision from the Northern District of California in the Adobe Systems data breach case, In re Adobe Sys., Inc. Privacy Litig., No. 13–CV–05226–LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014).  (That decision is available here.)  The Adobe decision relied on pre-Clapper case law from the Ninth Circuit, and has already been cited twice this year to support a finding of standing in a data breach/data privacy class action, the first brought by Sony employees, and the second by users of the Google Wallet.  Those cases had already established the Ninth Circuit (and therefore the Northwest) as a favorable venue for data breach class actions.

Second, the Premera Blue Cross class action complaints involving the massive data breach at that company, and involving claims under Oregon and Washington law, have all been consolidated in the federal court in Oregon, and have been assigned to Judge Michael Simon.  Judge Simon, a former Perkins Coie partner, is inclined toward issuing cerebral and thoroughly-reasoned decisions that often have a pro-consumer bent.  I would not be surprised to see a lengthy decision from Judge Simon in the near future along the lines of the Seventh Circuit's decision, giving plaintiff's lawyers a road map for obtaining standing in data breach cases and how to properly bring claims under Oregon and Washington law.

What does any of this have to do with insurance?  Well, if you are a non-Northwest company with operations in the Northwest looking at cyber insurance, and trying to assess company-wide risk, you cannot rely on decisions from courts in your "home" jurisdiction that have made it hard for these types of claims to go forward.  If you are a Northwest business that handles a lot of consumer data, the risk of a class action in the event of a breach just went up a little but.  Even if the claims are absolutely meritless, they will get past the motion to dismiss stage, which means that defense costs will be considerable.  All of that should be fodder for your next conversation with your insurance and legal advisers about your company's cyber-coverage, and particularly defense cost coverage and limits.

Update: As reported by my colleague Brian Sniffen in our blog IP Law Trends, Neiman Marcus has now requested en banc review of this decision.  En banc review is rarely granted.

Certain cases reprinted from WestlawNext with permission of Thomson Reuters.  If you wish to check the currency of this case by using KeyCite on WestlawNext, then you may do so by visiting www.next.westlaw.com.

Tuesday, July 14, 2015

Oregon Duty to Defend is Very Broad, as Shown in Two New Cases

Two new decisions from federal courts in Oregon demonstrate just how broad an insurance company's contractual duty to defend its insured truly is.  These decisions should be helpful to policyholders in fighting back against denials of coverage.  Wrongful denials of defense are unfortunately common in Oregon, due to the absence of a meaningful bad faith remedy for most breaches of the duty to defend.  But cases like these demonstrate that if an insured goes to court, more often than not the insured will win.  That may dissuade some insurers from making the wrong decision when it comes to defending.

In the first case, Portland General Electric v. Liberty Mutual Ins. Co., the issue was whether it was appropriate for the court to read an underlying complaint as implying a fact, even though the complaint did not allege the fact directly.  The court said "yes."

Portland General hired a contractor to work on some of its equipment.  The contractor was required to add Portland General as an "additional insured" on its liability policy.  When one of the contractor's employees was injured on the job, he sued Portland General.  (He could not sue his employer, the contractor, because of the workers-compensation exclusive-remedy bar).  Portland General demanded that the contractor's insurer, Liberty Mutual, provide it with a defense.  Liberty Mutual refused, citing Oregon's anti-indemnity statute.  To put it in simple terms, because of the anti-indemnity statute Liberty Mutual could not insure Portland General for Portland General's own negligence.  However, Liberty Mutual could provide coverage to the extent that Portland General were being held liable for the contractor's negligence.  But the employee's lawsuit didn't say anything about the contractor being negligent, making it appear (at least to Liberty Mutual) that Portland General was being sued only for its own negligence.

However, there were allegations in the complaint that some of the equipment chosen for the job was improper, and that clothing worn by the employee also contributed to the accident.  The complaint didn't say who provided the equipment or the clothing.  The court found that even though only Portland General was sued, and the complaint never mentioned the contractor, it was reasonable to infer that the contractor could have provided those items, and therefore that the contractor was at least somewhat negligent.  Because the complaint did not allege only negligence by Portland General, and alleged by implication some negligence by the contractor, the insurer had a duty to defend.

In the second case, Norgren v. Mutual of Enumclaw, District Court Judge Michael Simon took the unusual step of rejecting the recommendation of a Magistrate Judge (Judge Stacie Beckerman), who had ruled in favor of the insurer.  Judge Beckerman held that the insurer had no duty to defend a homeowner against a suit alleging that the homeowner's son assaulted another child, finding that the "intentional acts" exclusion applied to all of the claims against the insured, even to a claim entitled "negligent infliction of emotional distress," because the specific facts alleged all included some element of intent to act.  Judge Simon pointed out, however, that the complaint made other allegations that could be interpreted as alleging mere negligence - even though those allegations were conclusory, and more legal contention than statements of fact.  Judge Simon therefore found a duty to defend.

These two decisions take the famous phrase from Ledford v. Gutoski that in Oregon "any ambiguity in the complaint... is resolved in favor of coverage" and put it into action.  They exemplify the correct approach to Oregon duty to defend questions, which is to scour the complaint for potentially covered claims, rather than generalize about the allegations.  In each case the court rigorously analyzed every contention in the complaints, and resolved every ambiguity in favor of a defense obligation.  It can only be hoped that these two new rulings will help insurers understand that they take a considerable chance if they deny a defense, and that the better course, whenever there is any doubt, is to comply with their contractual defense obligations.

Wednesday, July 1, 2015

Ninth Circuit Hands Oregon Policyholders a Major Win on"Known Loss"

In a June 25, 2015, to-be-published decision in Kaady v. Mid-Continent Casualty Co. the Ninth Circuit adopted a decidedly pro-policyholder interpretation of the oft-contested "known loss" provision that is standard in commercial general liability (CGL) policies, holding that an insured's knowledge of damage to one part of a structure does not allow an insurer to deny coverage for  damage to other parts of the same structure or for a different type of damage to the structure.

Kaady, a masonry subcontractor, installed manufactured stone and masonry caps at a condominium project on Mount Hood.  After the project was complete Kaady was notified that there were cracks in the stone that he had installed.  Later that year Kaady bought a liability policy from Mid-Continent.  Kaady was then sued by the condo association, which alleged that his defective work had contributed to water damage to wood sheathing behind the manufactured stone, and to deck posts on which the masonry caps were sitting.

Mid-Continent denied coverage for those damages under its policy’s "known-loss" provision,  which stated that the policy “applies to . . . property damage only if . . . no insured . . . knew that the . . . property damage had occurred, in whole or in part.”  The policy also excluded coverage for property damage that is a "continuation, change or resumption" of "such [known] property damage."  The policy defined "property damage" in part as "physical injury to tangible property."

In the coverage lawsuit suit the insurer advanced two arguments to justify its denial:  1) that prior knowledge of  any damage to a structure means that any other damage to the same structure is a "known loss;" and 2) that the damage to the sheathing and posts was a "continuation change or resumption" of the cracking that the insured knew about.  The District Court granted summary judgment for Mid-Continent based on the known-loss provision.  The Ninth Circuit reversed.

The insurer argued that the policy's references to "property" and "tangible property" included all portions of that "property," and therefore that knowledge of damage to one portion of "the property" could be attributed to all later damage to that property.  The appeals court disagreed, pointing out that that interpretation conflicts with the way "property" is used throughout CGL policies.  Standard-form policies distinguish between different types of "property" and rely on those distinctions to exclude some kinds of "property" from coverage, such as the insured's own "work" while providing coverage to other kinds of "property."  Therefore, to be consistent, the known-loss provision must operate to allow coverage for damage to some "property" even if the insured knew about damage to other "property" within the same structure.  Moreover, because the known-loss provision talks about knowledge of "the property damage," any damage different in type than the damage about which the insured had knowledge is not excluded by the policy.  In Kaady the damage (deterioration) to the sheathing and deck posts was different in type from the cracking that the insured knew about before buying the policy.

The court also rejected the second argument, holding that Mid-Continent had the burden on summary judgment of proving, through evidence, that the damage to the sheathing and posts was caused by the same cracks that the insured knew about before he bought the policy.  The insurer had failed to put on such evidence, and so summary judgment should not have been granted.

In this decision the Ninth Circuit adopted arguments that have been advanced by policyholders for years, but had not been the subject of a published Oregon state court ruling, creating some uncertainty.  "Known-loss" disputes come up with some frequency, because Oregon law requires property owners to give notice to contractors of alleged defects and an opportunity to cure, and because "punch-list" provisions in standard construction contracts often require owners to give contractors an opportunity to fix problems that occur soon after construction.  This decision will therefore make it difficult for insurers that operate in good faith to deny claims based on "known loss."


Tuesday, June 9, 2015

Montana Case on Late Notice Calls Into Doubt Technical Coverage Defenses

In a new decision the Montana Supreme Court has confirmed that in order to avoid its coverage obligations based on a technical defense such as late notice, a liability insurer must show that it suffered "prejudice."  The case is a good illustration of courts' general skepticism toward "technical" coverage defenses asserted by insurers, but also of how the details of any particular lawsuit -- or settlement -- can complicate the coverage analysis. (I first wrote about this case in July of last year).

The decision in Atlantic Casualty v. Greytak  essentially restores the status quo about the "notice-prejudice rule" in Montana.  Under the notice-prejudice rule the insurer must show that its ability to defend the case and prevent a large judgment against the insured was materially harmed by the late notice.  The trial court in the Greytak case decided that a 2011 decision from the Montana Supreme court, Steadele v. Colony Insurance had overturned Montana law adopting the rule, making the prompt notice  provision in a standard liability policies a "condition of forfeiture," meaning that the insurance company did not need to prove prejudice.   On appeal, the Ninth Circuit certified that narrow legal question to the Montana Supreme Court.

In Greytak the insured was sued for negligence leading to property damage.  The claimant and the insured entered into an agreement whereby the insured would tender the claim to its liability carrier, and if the insurer did not pick up the defense or file a declaratory judgment action the claimant could enter a stipulated judgment against the insured, but agree to only pursue collection from the insured's insurance.  The insured tendered the claim and the carrier did not pick up, whereupon a stipulated judgment was entered in state court.  (The facts are disputed about whether the claimant was actually entitled to file the stipulated judgment, because the insurer had filed a declaratory judgment lawsuit before the state-court judgment).  The state-court judgment was set aside and the coverage action proceeded.

The Montana court clarified that Steadele did not reverse the law on the "notice-prejudice rule," pointing out that in Steadele the Court had found that the insurer was prejudiced as a matter of law, because the insured had stipulated to a monetary judgment before the insurer was given any notification.  In Greytak, by contrast, the parties' agreement allowed the insurer the chance to step in and defend, which it did not do.

The "notice-prejudice rule" is clearly established as the law in Oregon (Lusch v. Aetna), Washington (Canron v. Federal Insurance), and Alaska (Weaver Bros. v. Chappel). 

Interestingly, all of the Montana justices agreed about the notice-prejudice rule, but there were two dissenting opinions.   The dissents argued that the court should have gone beyond the narrow question certified by the Ninth Circuit to find that the insurer was prejudiced as a matter of law by the insured's and the claimant's conduct.  The insurer's briefs on appeal argued strenuously that it had indeed been prejudiced because the insured failed to cooperate with it after it attempted to appoint defense counsel, and because the claimant had filed the state-court judgment in violation of the settlement agreement.  The Montana Supreme Court's majority elected not to go beyond the certified question, however, leaving the issue of actual prejudice up to the federal trial court to resolve.  In light of what the trial court did below, I would say that things don't look good for the claimant on that score.

Wednesday, May 27, 2015

Lessons From CNA's Suit to Avoid Covering a Hospital Cyber-Breach

A few weeks ago the insurance-coverage community experienced a watershed event: the first publicized lawsuit by an insurer for a declaration of "no coverage" under a cyber-insurance policy.  The case is Columbia Casualty Company v. Cottage Health Systems, filed in the Central District of California, and the issue is the insured's compliance with a pledge that it would use "minimum required" data-security practices.  This case holds important lessons for those considering cyber coverage - chiefly, be careful what you say in your application, and don't think that your insurer is going to treat you with kid gloves just because cyber coverage is a new product.

(NB: although we wouldn't normally cover California litigation, this filing raises red-hot issues so we decided to make an exception.)

The Cottage Health data breach was caused by user error, which is reported to be the leading cause of data security incidents across all sectors of the economy.   Cottage is a three-hospital health system in the Santa Barbara area.  According to published reports, the hospital contracted with an IT firm, "InSync," to put medical records on a File Transfer Protocol ("FTP") server so that they could be accessed remotely, but no-one made sure that access to the records was locked-down to credentialed people only, or encrypted.  As a result the FTP files were available to Google's search "bots", and could be found by using a Google search.  Reportedly only after someone reported the issue to the hospital was the error caught.  A class-action suit against Insync and Cottage followed, alleging (among other things) violations of California's Confidentiality of Medical Information Act.  Apparently the state DOJ is also investigating possible HIPAA violations.

Cottage's cyber-liability insurer, Columbia Casualty (owned by mega-insurer CNA), picked up the defense, and even funded a $4.1 million settlement with the class, but under a reservation of rights.   In the new coverage lawsuit CNA is suing Cottage to get the settlement money -- and all of its defense costs -- back from Cottage.

CNA, like many insurers, required Cottage to fill out a detailed cyber coverage application and "self-assessment" which involved answering a host of questions about IT security practices.  Most of the questions were broadly worded, such as "Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?"  A few of the questions were more specific, however, such as whether Cottage routinely changed default software settings if required to make systems secure.  The application also addressed the use of vendors, including questions about whether Cottage required its third-party vendors to observe the same or stricter security practices as those used by Cottage, and whether Cottage required vendors to have cyber-liability insurance.  (Cottage of course answered "yes" to all questions.) 

The application and the policy itself contained several kinds of "warranties" about Cottage's compliance with security standards, and the policy contained an exclusion that coverage would not be provided for damages resulting from "[a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing . . ." (emphasis added).

CNA claims that Cottage's "yes" answers on the application were false or that if the answers were true when the application was made, Cottage subsequently failed to "maintain" those practices.  Although CNA's complaint does not specifically say what Cottage didn't do that it should have done, reading between the lines it appears that CNA is focusing on three contentions: first, that the breach occurred because the vendor, InSync, failed to change the default FTP setting on the server software from "open access" to password-only access; second, the medical data was not encrypted on the server; and third, that Cottage did not make sure that InSync had cyber insurance coverage of its own.

This is something of a nightmare scenario for those of us who advise policyholders on cyber liability and coverage.  There are several "weak links" when it comes to cyber, and this case appears to hit on several of them.

First, because there is so little claims history in the "cyber" world, and because the risks are so high, insurers are requiring applicants to answer lots of questions and go through unusually detailed "self-assessments."  That's not a problem if the folks filling out the application thoroughly vet the answers with IT, legal, and the contracts department. But any breakdown in communication among those players can result in coverage problems.

Second, because of the evolving nature of cyber risks (and because it is the nature of their approach to the business) insurance companies frequently use vague wording in application materials and in their policies.  Vague language allows the insurer to argue after the fact a particular meaning that favors them.  We can see that in action in this case, in the question asking whether Cottage did a yearly re-assessment of risks and "enhanced" its "risk controls in response to changes."  What does that mean?  Does that mean that if there is an increase in "spear-phishing" attacks the company must eliminate the use of email?  Or is it good enough to adopt published "best practices" - a rule of reasonableness?  Those are the kind of questions that may be litigated in this case - questions that could have been avoided if the insurer had not been able to get away with vague language that it could later use to its advantage.

Third, vendors.  Vendors, the cause of so many data security problems, create substantial problems when it comes to insurance.  What is a reasonable security precaution to a hospital may seem like overkill to an outsourced IT or cloud provider, or the reverse may be true, and there is often no practical way to monitor changes that a vendor makes in its security practices.  That makes it very difficult to accurately answer a question about whether a vendor uses the same security standards as the insurance applicant.  It is also particularly difficult to ensure, as the CNA application asked, that every vendor "maintain[s] enough insurance to cover their liability arising from a breach of privacy or confidentiality" when there are no standardized forms for cyber coverage that can be required in the vendor contract, and where the risks to the vendor may be dramatically different than those of the customer.

In this case it appears that CNA is trying to avoid coverage using Cottage's "warranty" to comply with vaguely-worded promises that Cottage made about its security practices in a case where negligent oversight of a vendor caused an accidental data breach.  That is, of course, exactly why a business buys liability insurance - to cover an accident caused through negligence.  The fact that CNA is relying on vague language against its customer, Cottage, rather than giving Cottage the benefit of the doubt, demonstrates that this insurer, at least, is willing to use the kind of sharp-elbow tactics to limit its loss payments that we see with other kinds of coverage.  In other words, cyber coverage is not going to be treated differently by the insurance industry and its lawyers.

To try to avoid this kind of situation, businesses would be well advised to treat cyber coverage applications very carefully, to try to negotiate "warranty" language that is less onerous and open-ended, and to exercise increased oversight of vendor contracts and compliance with contract terms, including actually reviewing the vendor's insurance policies and security practices.  Taking those steps will not of course eliminate coverage disputes of this sort, but in this area, every step is an important one.